| Summary: | <www-servers/bozohttpd-20100621: Multiple vulnerabilities (CVE-2010-{2195,2320}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | s4t4n, www-servers+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.eterna.com.au/bozohttpd | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Alex Legler (RETIRED) 2010-08-10 15:10:18 UTC

CVE-2010-2320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2320): bozotic HTTP server (aka bozohttpd) before 20100621 allows remote attackers to list the contents of home directories, and determine the existence of user accounts, via multiple requests for URIs beginning with /~ sequences.

Unaffected version of bozohttpd has just been added to the tree. As soon as it gets stabilized we can hard mask the only affected version remaining.

(In reply to comment #2)
> Unaffected version of bozohttpd has just been added to the tree. As soon as it
> gets stabilized we can hard mask the only affected version remaining.

Unless you have a very good reason why it should stay, it should be removed.

Arches, please test and mark stable:
=www-servers/bozohttpd-20100621
Target keywords : "x86"

(In reply to comment #3)
> Unless you have a very good reason why it should stay, it should be removed.

Uh, well, yes, of course it should be removed ;-)

x86 stable

Wiped out affected version.

(In reply to comment #7)
> Wiped out affected version.

Please don't close bugs assigned to security@.

GLSA vote: NO

(In reply to comment #8)
> Please don't close bugs assigned to security@.

I have got a lot to learn, it seems :-)

Vote: NO, closing noglsa, feel free to reopen if you think otherwise.
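The CVE text above describes the attacker behaviour as repeated requests for URIs beginning with /~, so the observable on the server side is one client walking many distinct /~user prefixes. The following added example (not part of the Gentoo bug or of bozohttpd) parses constructed common-log-format access lines and flags clients that probe an assumed threshold of distinct user directories; the threshold and sample addresses are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format); not from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2010:15:10:18 +0000] "GET /~alice/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2010:15:10:19 +0000] "GET /~bob/ HTTP/1.1" 404 0
203.0.113.5 - - [10/Aug/2010:15:10:19 +0000] "GET /~carol/ HTTP/1.1" 200 420
203.0.113.5 - - [10/Aug/2010:15:10:20 +0000] "GET /~dave/ HTTP/1.1" 404 0
198.51.100.7 - - [10/Aug/2010:15:11:02 +0000] "GET /~alice/index.html HTTP/1.1" 200 2048
198.51.100.7 - - [10/Aug/2010:15:11:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# client, request path and status code of a GET/HEAD line in common log format
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# the ~user prefix the advisory talks about: everything after /~ up to the next /, ? or #
USERDIR_RE = re.compile(r'^/~([^/?#]+)')

def parse_line(line):
    """Return (client, path, status) or None if the line is not a GET/HEAD request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))

def userdir_probes(log_text):
    """Map each client to the set of distinct ~user names it requested."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, path, _status = parsed
        m = USERDIR_RE.match(path)
        if m:
            probes[client].add(m.group(1))
    return probes

def enumerating_clients(log_text, threshold=3):
    """Clients that requested at least `threshold` distinct /~user prefixes.
    The threshold is an assumed tuning knob, not a value from the report."""
    return {c: sorted(u) for c, u in userdir_probes(log_text).items() if len(u) >= threshold}

if __name__ == "__main__":
    for client, users in enumerating_clients(SAMPLE_LOG).items():
        print(f"{client}: probed {len(users)} user directories: {', '.join(users)}")
```

A single /~user request is normal traffic; the signal is the number of distinct prefixes per client, which is why the aggregation keys on the client address rather than on individual lines.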